Re: [DNSOP] IETF 102 Hackathon: prototype implementation of draft-wessels-dns-zone-digest-02

"Wessels, Duane" <dwessels@verisign.com> Wed, 18 July 2018 18:36 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E90DE130F62 for <dnsop@ietfa.amsl.com>; Wed, 18 Jul 2018 11:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7l2snzW90naz for <dnsop@ietfa.amsl.com>; Wed, 18 Jul 2018 11:36:42 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09FA2130F5E for <dnsop@ietf.org>; Wed, 18 Jul 2018 11:36:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=9011; q=dns/txt; s=VRSN; t=1531939002; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=nGUbtvR3whE632Iggv9ZItGHe+RMSgg4wmdCIlcLZhI=; b=GPtYdISC55bX9u78Wre6z5PxABnAOEGty2DdifuwnkYRBqd0o9MCiJyp ALpTIZ9t1XPnWFp0HHovHQIbCzEcK0H4Rc0rK3nFx3wkWaSl71YXvSuNa 3CTxaFdZwisH2N1W5xePvwAtJ9QwBKIcNsPGl7vgVcuEpnJoO0snmcwuC LqVDzQk1axefmyenpWtJk0YhJf/+e7jfad3RDDLLUxZAeA+J3787Z2u+h TImYV/1GJAH2AgA4U7tAchfRxShsihoaSsYuHQmdx0WN6XhageLQhlZX7 mGE/LaJWD3IVx1S1ZR1CWl7ozJcIyWYPIVSkzn/23GT7YA7jJ6+Hrqjdr w==;
X-IronPort-AV: E=Sophos; i="5.51,371,1526342400"; d="p7s'?scan'208"; a="7212897"
IronPort-PHdr: =?us-ascii?q?9a23=3AfVK2NRDSzkYUx1E9EszRUyQJP3N1i/DPJgcQr6Af?= =?us-ascii?q?oPdwSPX8r8bcNUDSrc9gkEXOFd2Cra4c1ayO6+jJYi8p2d65qncMcZhBBVcuqP?= =?us-ascii?q?49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6?= =?us-ascii?q?JvjvGo7Vks+7y/2+94fcbglUhTexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfO?= =?us-ascii?q?pWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnM?= =?us-ascii?q?VhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs5Qiqp4bt1RxD0iS?= =?us-ascii?q?cHLz85/3/Risxsl6JQvRatqwViz4LIfI2ZMfxzdb7fc9wHX2pMRsZfWTJcDIOg?= =?us-ascii?q?YYUBDOQBMuRZr4bhqFQDthS+CRWpBO711jNEmmH60Ksn2OohCwHG2wkgEsoAvH?= =?us-ascii?q?vUstr1L7wSXv6xzKnT1TnIcv1Y2Srn54jObB8tr+yHULVtfsvf10YvDBjFgUuU?= =?us-ascii?q?qYz+JD6VyPoCs3Ka7+p7VOKvhGgnpxttrTiow8chk4/EjZ8bxFDD8CV22oc1Jd?= =?us-ascii?q?ugRU50YN6kDJtQtzyBOIdsXswiRGRotSAnwbMFoZ62ZDUGxIg9yxLCafGKfZKE?= =?us-ascii?q?7g/jWeufOzt1i3FodKqiixqu60Ss1+/xWtWu3FpXoSdIkcPAum0O2hDL5MiIVP?= =?us-ascii?q?hw8luk1DuKzQ/e6eVJLlsxmKfVNZIu3789m58IvknHHyL7mkD7gaGYe0gm5+el?= =?us-ascii?q?7fnsbK/8qZ+GLYB0jxnzMqEpmsOiH+s1KhMOX22H+eSk073j4FH5TK1KjvIolq?= =?us-ascii?q?nZt4jXKNkHqKChHgNa0p4t5Rm+ADu6zdgUh2cHI05CeBKdl4jlIUvBL+3iAfeh?= =?us-ascii?q?mVSsizFry+raMb3mB5XBNnnDkLH/crZh80NQ1RY/wcpC659WBLwNOu//V0//ud?= =?us-ascii?q?DCARI0MBS4w+P9B9V80oMeV3iPAqicMK7KrFCJ6PwgI/KXZIALvDb9MOMo5+Dw?= =?us-ascii?q?gn8jmF8dZqip3ZQRaHyiAvtmJECZbWL2gtgdCWcKohY+TOvyhV2ZUT5cfXCyUL?= =?us-ascii?q?wn6zEnCYKmCJnMSpmxgLybxii7AINZZmRCCl+SC3fobJ+IW/AWaCKdOsVhiCAL?= =?us-ascii?q?VaC9S4890hGjrBL1y7x8LurT4i0VrpPj28Zp5+3djx0y8iZ0D8vOm12KGlp0l2?= =?us-ascii?q?UFDxw7xro39Vd9w1GO+bR5hvEdCcZa+f5NVgogLtjb1eMsWP7oXQeUNOiEU02r?= =?us-ascii?q?Rs7iSR0sR9Q8iZdab1lwAM6vigvrwSewAqQUmLrND5sxpPGPl0PtLtpwni6VnJ?= =?us-ascii?q?IqiEMrF44WbTWr?=
X-IPAS-Result: =?us-ascii?q?A2GBAQBOh09b/zCZrQpcGgEBAQEBAgEBAQEIAQEBAYQsgSc?= =?us-ascii?q?KmgwklTmBPzsIAyMLhD4Cgxs1FwECAQEBAQEBAgEBAoEFDII1JAEKBEs6MAEBA?= =?us-ascii?q?QEBAQEBAQEBAQEBARoCDWMBAQEBAgF5BQsCAQgYIwsCMCUCBA4FDoMSAYF3F6s?= =?us-ascii?q?fij0KBYpaPoE4DIJegUGBTAwChRKCJAKHbYoHh2wDBgKDW4FZVIkrgTaEEYgRi?= =?us-ascii?q?juHNQIEAgQFAhSBQgGCCXAVZQGCPoIxHIM0ilJvikQrgQGBGgEB?=
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1466.3; Wed, 18 Jul 2018 14:36:40 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%5]) with mapi id 15.01.1466.003; Wed, 18 Jul 2018 14:36:40 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Shane Kerr <shane@time-travellers.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] IETF 102 Hackathon: prototype implementation of draft-wessels-dns-zone-digest-02
Thread-Index: AQHUHGsFkfdLLiFUM0KZSCgbZhElpqSVlrqA
Date: Wed, 18 Jul 2018 18:36:40 +0000
Message-ID: <E92190FF-6520-428C-B5D6-37E8175D1EE9@verisign.com>
References: <3e5675e4-3ae0-f21c-7e3a-e9214953888e@time-travellers.org>
In-Reply-To: <3e5675e4-3ae0-f21c-7e3a-e9214953888e@time-travellers.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_2DAA6F14-849A-4EA1-A463-8905EE5E227A"; protocol="application/pkcs7-signature"; micalg=sha1
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/axC6RQ1qxeZSzenIrgfdSGDQYWU>
Subject: Re: [DNSOP] IETF 102 Hackathon: prototype implementation of draft-wessels-dns-zone-digest-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 18:36:45 -0000

> On Jul 15, 2018, at 11:37 AM, Shane Kerr <shane@time-travellers.org> wrote:
> 
> Bonjour,
> 
> I decided to implement draft-wessels-dns-zone-digest-02 at the IETF 102 Hackathon. As expected, it is fairly straightforward. You can see the code on GitHub:
> 
> https://github.com/shane-kerr/ZoneDigestHackathon

Thanks Shane!


> It seems to work, although since I have no other implementation to compare against I can't be sure that the digest values are in any way correct.

My own implementation, alluded to in the draft, is here:

https://github.com/verisign/draft-dns-zone-digest/tree/master/impl

I have a few test cases in the Tests directory.

> 
> In proper hackathon style there are no tests. Bugs surely abound. If you use it in production please keep a fire extinguisher handy.
> 
> I found the draft to be clear and fairly complete, although I have a few suggestions:
> 
> * It might be worth mentioning that names are expected to be
>  uncompressed. It's kind of obvious, but it might trick up some
>  implementations.

The draft says "It also adopts DNSSEC's canonical RR form (Section 6.2 of [RFC4034])" in one place and "calculated by concatenating the canonical on-the-wire form of all RRs" later.  I wouldn't object to being more explicit.  Do you want to propose some text or shall I take a stab?

> 
> * The TTL of the ZONEMD record has to come from somewhere. It can either
>  come from configuration or pulled from somewhere else (I used the TTL
>  of the SOA record). This should be documented.

I also used the SOA TTL in my implementation.  I can make that a recommendation in the draft.

> 
> * It might be worthwhile giving some recommendations or even
>  requirements about what to do with failures. For example, something
>  like "secondary servers who receive a zone that fails a digest
>  validation SHOULD NOT serve the zone".

Happy to add something like that.

> 
> * Having some example zones and the expected digest values would be very
>  useful for implementers.

Agreed.  I would like to have some examples as an appendix in the document.

DW